omarrrfds/MGM

First bug: CVE-2024-45231

In the password reset at https://box.tickets.mgm.mo/accounts/password/reset/ you can enter any email address. If the address is in the server's database, the server responds with 302 and mail is sent to that address; if the address is not found in the database, the server responds with 200 OK and an HTML error.

I found admin@tickets.mgm.mo, and you can find all users' email addresses in MGM. There is no rate limit: you can send 10000000000 password reset mails.
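A server-side handler that closes both gaps described for the first bug, as an added example that is not code from this repository or from the affected site: the response is identical whether or not the address has an account, and requests are throttled per client and per address. The account set, the limits, `DONE_URL` and the function names are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample data and hypothetical settings, not values from the report.
ACCOUNTS = {"user@example.test"}
DONE_URL = "/reset/sent/"      # hypothetical "check your inbox" page
MAX_REQUESTS = 5               # requests allowed per key per window
WINDOW_SECONDS = 3600

_recent = defaultdict(deque)   # throttle key -> timestamps of recent requests
outbox = []                    # stands in for an out-of-band mail queue


def _throttled(key, now):
    """Sliding-window limiter: True when this key has used up its budget."""
    q = _recent[key]
    while q and now - q[0] >= WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_REQUESTS:
        return True
    q.append(now)
    return False


def request_reset(email, client, now=None):
    """Return (status, location) for one password reset request.

    The result never depends on whether the address has an account, so a
    302-versus-200 difference cannot be used to confirm an address.
    """
    now = time.time() if now is None else now
    addr = email.strip().lower()
    # Throttle on the client and on the target address, for any address,
    # so the limit itself does not reveal which addresses exist.
    if any(_throttled(k, now) for k in (("client", client), ("addr", addr))):
        return 429, None
    if addr in ACCOUNTS:
        outbox.append(addr)    # queued, so response time does not vary either
    return 302, DONE_URL
```
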

Bug 2: you can sign up or register as admin@tickets.mgm.mo by using a.dmin@tickets.mgm.mo, and any reset or bought ticket is sent to the real mail, and a hacker can download it from the web in /mytickets.


You can see I found an IDOR that tells me the number of the user, 693579; then you can log in with the fake admin.

You can download or send the tickets and buy tickets, and any ticket you buy is sent to the real admin mail.

You can make fake admin tickets that look like the real ones.

Or you can do a lot of things: you can update the profile, reset the password, or delete the account. All of this mail is sent to the real admin@tickets.mgm.mo, but the impact happens on the fake mail a.dmin@tickets.mgm.mo.
